Canvas hacked by criminal extortion group ShinyHunters — here’s everything students, parents, and teachers need to know right now.
Canvas hacked. Two words that sent millions of students into a panic this week at the worst possible time — right in the middle of finals season. If you tried to log into Canvas and saw a threatening ransom message instead of your assignments, you weren’t alone. Millions of students and teachers across the US and around the world experienced the exact same thing.
Here’s the full breakdown of what happened, what data was stolen, and what you need to do right now.
Canvas Hacked: What Happened?
On April 29, 2026, Instructure — the company behind Canvas — first detected unauthorized activity in its systems. By May 1, the company confirmed that hackers had exploited a vulnerability and gained access, forcing it to shut down parts of its service including Canvas Data 2 and Canvas Beta.
Then on May 7, things escalated dramatically. Students logging into Canvas were redirected to a page displaying a ransom message from the hackers themselves — a criminal extortion group called ShinyHunters. The Canvas hacked message threatened to release stolen data unless a ransom was paid. The group claims to have breached nearly 9,000 schools worldwide and stolen a staggering 275 million records, including billions of private messages.
Schools across the US, UK, Australia, New Zealand, Sweden, and the Netherlands all reported disruptions or confirmed exposure of user data.
Who Are ShinyHunters — The Group Behind Canvas Hacked?
This isn’t some mysterious government-backed cyber unit. According to threat analyst Luke Connolly at cybersecurity firm Emisoft, ShinyHunters is a loose group of teenagers and young adults based primarily in the US and UK. That’s right — kids hacking kids.
The group has a well-documented track record. They were previously tied to a major breach of Live Nation’s Ticketmaster subsidiary. Their playbook is simple: break in, steal data, post a public threat, set a deadline, demand payment. Schools have until May 12 to negotiate a settlement — or face a full public data dump.
The hackers even called out Instructure directly in their Canvas hacked ransom note, writing that instead of contacting them to resolve the issue, the company “ignored us and did some ‘security patches.'”
What Data Was Stolen in the Canvas Hacked Breach?
This is the question every student, parent, and teacher needs answered. According to Instructure and notifications sent out by affected schools including George Mason University and the University of California system, the Canvas hacked data exposure includes:
- Student and faculty names
- Email addresses
- Student ID numbers
- Private messages sent within Canvas
Instructure states there is currently no indication that passwords, Social Security numbers, dates of birth, or financial information were compromised. But investigations are still actively ongoing — what the company “currently” knows and what was actually taken may turn out to be two very different things.
Which Schools Were Affected by Canvas Hacked?
The list of schools impacted by the Canvas hacked incident is enormous and still growing. Confirmed affected institutions include:
Harvard, MIT, Duke University, Penn State, University of Pennsylvania, University of Illinois, Illinois State University, University of Chicago, the entire University of California system, Sacramento State, Wake County Public Schools, and thousands more across the US and internationally.
The University of Illinois postponed final exams and assignments for an entire weekend because of the Canvas hacked outage. The University of California instructed all UC campuses to block Canvas access entirely. North Carolina’s Department of Public Instruction pulled Canvas from its statewide sign-on portal indefinitely.
As one cybersecurity expert put it plainly: “The one thing that stands out with this attack is it’s sector-wide. We have a vendor used by almost the majority of education institutions around the country.”
How Did the Canvas Hacked Attack Happen?
Instructure confirmed the hackers broke in through Free-For-Teacher accounts — a type of account the company has since temporarily shut down. This gave ShinyHunters a foothold into the broader system, from which they were able to access data across thousands of connected institutions globally.
It is a reminder of something cybersecurity professionals repeat constantly: a chain is only as strong as its weakest link. One underprotected account type became the entry point for the Canvas hacked breach that is now affecting millions of people worldwide.
Is Canvas Back Online After Being Hacked?
As of May 8, Instructure confirmed that Canvas is fully back online. Several schools including the University of Oklahoma confirmed access was restored. However, many institutions are keeping access restricted or under close monitoring while investigations continue.
The May 12 deadline set by ShinyHunters remains active. Whether schools pay, negotiate, or refuse will directly determine what happens to the stolen data. No institution has publicly confirmed making a payment as of this writing.
What Should You Do If Canvas Hacked Affected Your School?
Even if passwords were not confirmed stolen in the Canvas hacked breach, here is exactly what you should do today:
1. Change your Canvas password immediately. It costs nothing and reduces your risk significantly.
2. Watch for phishing emails. Hackers now have your name and email address — the perfect ingredients for a targeted scam. If you receive any email asking for login credentials, do not click anything.
3. Enable two-factor authentication on your school email and any accounts connected to Canvas.
4. Check your school’s official update page. Don’t rely on social media rumors for Canvas hacked news — go directly to your institution’s IT or communications page.
5. Be suspicious of unexpected Canvas messages. Private messages were reportedly part of the stolen data, meaning bad actors could impersonate classmates or faculty.
The Bigger Picture: Why Canvas Hacked Is So Significant
The Canvas hacked attack is part of a growing and deeply troubling pattern. Schools have become prime targets for cybercriminals because they hold enormous amounts of personal data — student records, contact information, private communications — and are historically underfunded when it comes to cybersecurity.
ShinyHunters didn’t hack one school. They didn’t hack one district. They hacked the platform that powers digital education for millions of students worldwide, all at once. The Canvas hacked incident is not just a data breach — it is a wake-up call for the entire education technology industry.
Whether Instructure pays, how much data gets leaked, and how institutions respond before the May 12 deadline will define how bad this ultimately becomes. But one thing is already certain — if you used Canvas this semester, your personal information was in the hands of criminals this week.
Change your passwords. Watch your inbox. And stay tuned.