A cyberattack claimed by the ShinyHunters group has disrupted access to the widely used educational SaaS platform Canvas, with the crew alleging lax security practices enabled the breach and threatening to leak stolen institutional data unless a settlement is reached by May 12, 2026. The outage has forced many universities to grant automatic assignment extensions to students who submit work through the platform.
Widespread Canvas outage disrupts global education workflows
Students, professors, and administrative staff at thousands of educational institutions worldwide faced unexpected disruption this week after a cyberattack knocked the widely used learning management system Canvas offline, with the notorious ShinyHunters hacking group claiming responsibility for the incident. The disruption hit just as many Northern Hemisphere institutions were wrapping up spring semester assignments, handing students an unplanned reprieve from deadlines. One university student, the child of a Register reporter, shared an email from their institution stating access to Canvas would be blocked until administrators could assess the risk of data leakage, with all upcoming assignment deadlines automatically extended.
Canvas, developed by Utah-based Instructure, is one of the most widely adopted learning management systems globally, used by K-12 schools, universities, and corporate training programs to distribute course materials, collect assignments, host discussion boards, and manage grades. It serves millions of users across thousands of institutions, making any prolonged outage or data breach a high-impact event.
Instructure first acknowledged the incident on May 2, 2026, with Chief Information Security Officer Steve Proud posting a brief statement to the company's Status Page. "We recently experienced a cybersecurity incident perpetrated by a criminal threat actor," Proud wrote, adding that the company was working with outside forensics experts to investigate the scope of the breach and minimize impact. Instructure has not shared further details about the nature of the attack, the root cause, or how many users or institutions have been affected.
Earlier this week, students and staff attempting to log into Canvas reported seeing messages from an entity claiming to be the ShinyHunters group, a well-known threat actor with a track record of targeting SaaS providers, e-commerce platforms, and tech companies. The group claimed the outage was the result of lax patching practices at Instructure, which allowed them to gain unauthorized access to internal systems. ShinyHunters also alleged they had stolen data belonging to Canvas institutional customers, and threatened to leak the information publicly unless a "settlement" was paid by May 12, 2026.
ShinyHunters has been active since at least 2020, and has claimed responsibility for multiple high-profile data breaches in recent years. Past incidents linked to the group include a leak of 119,000 Vimeo email addresses, a vishing attack on a major real estate firm, an 8.2 million record breach at Pitney Bowes, and a campaign that impersonated help desk staff to abuse Microsoft Teams and steal corporate credentials. The group typically steals data from targets, then demands extortion payments to prevent public leaks, often listing stolen datasets for sale on dark web forums if payment is not made. Users can check if their email addresses have been involved in known ShinyHunters breaches using tools like Have I Been Pwned.
As of Thursday evening US time on May 7, Instructure said Canvas was available "for most users," but declined to offer further comment on the investigation or the group's claims. Many individual institutions have posted their own notices to students and staff, most of which echo Instructure's vague guidance while warning of heightened phishing risks in the wake of the breach. Several universities advised students that any assignments due during the outage period would be granted automatic extensions, as Canvas is the required submission platform for most courses.
Why edtech is a frequent target
This incident fits a broader pattern of cybercriminals targeting education technology platforms, which hold massive troves of sensitive data including student and staff Social Security numbers, financial aid information, tuition payment details, and proprietary academic research. Unlike enterprise SaaS providers that serve corporate clients with dedicated security teams, many edtech vendors serve institutions with limited cybersecurity resources, creating a target-rich environment for groups like ShinyHunters. Education has consistently ranked among the most targeted sectors for ransomware and data theft attacks in recent years, with K-12 and higher education institutions facing frequent attempts to gain unauthorized access to their systems.
Unverified claims and mixed impact
ShinyHunters' claim that the breach resulted from poor patching practices has not been verified by independent researchers or Instructure. While unpatched vulnerabilities are a common entry point for cyberattacks, even organizations with rigorous patch management programs can fall victim to zero-day exploits, phishing campaigns targeting employees, or supply chain compromises. Some security researchers note that SaaS providers like Instructure have a heightened responsibility to maintain strict security standards, as their customers often lack the technical ability to audit or harden the platforms they rely on. Others argue that educational institutions share some liability, as many fail to enable available security features like multi-factor authentication for Canvas accounts, or train staff and students to recognize phishing attempts that could lead to credential theft.
The impact of the outage has also drawn mixed reactions. While students with upcoming deadlines have welcomed unplanned extensions, others rely on Canvas to access course materials, check grades, and communicate with professors, particularly for online or hybrid programs. For students with limited internet access outside of campus systems, prolonged outages can create significant barriers to completing coursework. Institutions that blocked access to Canvas entirely to mitigate data leak risks have had to balance protecting sensitive information against disrupting teaching and learning workflows.
What comes next
The May 12 deadline set by ShinyHunters is fast approaching, and it remains unclear whether Instructure or affected institutions will engage with the group's demands. Law enforcement agencies generally advise against paying ransom or extortion demands, as it encourages further attacks and does not guarantee that stolen data will be deleted. Instructure has not indicated whether it plans to provide credit monitoring or identity theft protection services to affected users, a common step after breaches involving personal data.
This is an evolving story. The Register will update it as more information becomes available.
Comments
Please log in or register to join the discussion