ShinyHunters hit Canvas LMS for the second time. 275 million student records, 9,000 schools.

Instructure, the company behind Canvas LMS, confirmed on May 3 that ShinyHunters breached its platform and stole data from approximately 9,000 schools and universities worldwide. The group claims 275 million records and 3.65 terabytes of exfiltrated data, including private messages between students and teachers.

This is the same attacker that hit Instructure’s Salesforce environment eight months ago. The patches from that first breach didn’t stop a second one. And the timing is brutal: the breach disrupted Canvas access during finals week at universities and end-of-year testing at K-12 schools across the US.

Doug Thompson, a cybersecurity researcher at Tanium, told Inside Higher Ed what’s changed: “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.” One breach, 9,000 schools.

What was taken

ShinyHunters’ darknet post lists names, email addresses, student IDs, enrolled courses, and what the group calls “several billions of private messages.” Instructure says passwords, dates of birth, government identifiers like Social Security numbers, and financial information were not part of the compromised dataset.

The list of named institutions reads like an admissions brochure: Harvard, MIT, Stanford, Oxford, Cambridge, Columbia, Princeton, UC Berkeley, and dozens more. But the K-12 exposure is arguably worse. Wake County in North Carolina pulled Canvas from its student portal entirely. Durham Public Schools, Orange County Schools, and at least six other NC districts are also on ShinyHunters’ list.

Canvas is used by 41% of North American higher-education institutions and over 7,000 organizations globally. When one vendor gets popped, the blast radius isn’t measured in companies. It’s measured in classrooms.

The ransom deadline was May 7, later extended to May 12. ShinyHunters posted on its darknet forum: “everything is leaked and there will be no chance at a negociation for anyone.” The typo is theirs.

How it happened (again)

The September 2025 breach used social engineering against Instructure’s Salesforce environment. This time, ShinyHunters exploited cloud application integrations, registering malicious connected apps and using compromised credentials to access Canvas’s cloud systems. MITRE ATT&CK maps it to T1671 (Cloud Application Integration abuse) and T1567 (Exfiltration Over Web Service), with Python scripts automating the data extraction.

ShinyHunters taunted Instructure publicly: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

Instructure CISO Steve Proud told Fox 9: “We are actively investigating this incident with the help of outside forensics experts.” The company has revoked privileged credentials, rotated application keys, shut down Canvas Data 2 and Canvas Beta during the investigation, and engaged outside forensics. Customers have to re-authorize API access, which is disrupting integrations at schools that built their own tooling on top of Canvas.

The University of Pennsylvania is dealing with this as their second ShinyHunters breach. Penn refused a $1 million ransom in February 2026 after an earlier attack; that refusal led to further data releases. Penn VP Joshua Beeman told the Daily Pennsylvanian that Penn’s “Information Security team is collaborating with the affected vendor, industry professionals, and law enforcement.”

Why education keeps getting hit

The pattern isn’t new, but it’s accelerating. In 2025, education became the most attacked sector globally, averaging 4,388 cyberattacks per school per week. The number of exposed records jumped 27% year-over-year to 3.9 million in confirmed 2025 attacks alone.

Cybersecurity researcher Doug Thompson from Tanium put it bluntly to Inside Higher Ed: “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.”

That’s the supply-chain play. ShinyHunters doesn’t need to break into Harvard’s network. They break into the vendor Harvard depends on. PowerSchool fell to a ShinyHunters affiliate in December 2024, exposing 62 million student records. McGraw Hill lost 13.5 million accounts in April 2026. Instructure is the latest name on a growing list.

The economics of school cybersecurity make this predictable. Unlike banks or tech companies, school districts don’t have dedicated security teams or the budget to hire them. Average breach cost runs $3.76 million for K-12 and $4.02 million for higher education, but the money to prevent those breaches rarely exists. Anton Dahbura from Johns Hopkins’ Information Security Institute told Inside Higher Ed: “Even organizations that do the right things can still be exposed through trusted vendors.”

ShinyHunters has figured this out. The group has systematically worked through the education vendor supply chain over the past 18 months. PowerSchool fell in December 2024, exposing 62 million student records. Multiple Ivy League schools were hit in November 2025 (1 million+ records). McGraw Hill lost 13.5 million accounts in April 2026. Instructure is the latest name on a list that’s growing faster than the schools can respond. K-12 ransomware attacks outpaced higher-education attacks 3-to-1 in the US in 2025, and the group behind them keeps getting better at picking targets where the payoff is huge and the defenses are thin.

ShinyHunters itself isn’t some shadowy nation-state operation. The group is described as a loose affiliation of teenagers and young adults based in the US and UK, named after shiny Pokemon. Several members have been arrested. French affiliate Sebastien Raoult received three years in prison and $5 million in restitution in January 2024. Matthew Lane, 19, of Massachusetts, pleaded guilty to the PowerSchool hack in June 2025. The arrests haven’t slowed the group down. Their claimed total across all breaches: 1.8 billion records.

The timing couldn’t be worse

The breach hit during finals at universities and end-of-year testing at K-12 schools. Wake County students couldn’t access Canvas through their school portal. Penn students lost access during final exams. Kate Lovette, a sixth-grader in Wake County, told WRAL: “I went onto the WakeID. I’ve looked for the app, and I couldn’t find it.”

Teachers scrambled to deliver instruction without their primary LMS. Wake County’s spokesperson offered: “Our teachers will do what they do every day, continue delivering exceptional instruction.” It’s a nice line. It doesn’t bring back the platform 150,000 students rely on.

What this means for you

If your school uses Canvas, change your password now and turn on multi-factor authentication. The stolen data (names, emails, student IDs, private messages) is prime phishing material. Expect scam emails that reference your actual courses, teacher names, or assignment details. They’ll look real because the underlying data is real.

Parents should consider placing a credit freeze on their child’s credit file. It’s free, it takes about ten minutes per bureau, and it prevents anyone from opening new accounts in your kid’s name. You can do it through Equifax, TransUnion, and Experian even if your child has never had credit. Children’s identity data is particularly valuable to criminals because it can sit unused for years before anyone checks. A stolen student ID and email address from a sixth-grader won’t trigger fraud alerts until that student applies for their first credit card a decade later.

For the broader education sector, the lesson from this breach is depressingly familiar: the vendor you trust is the vendor attackers target. Instructure got breached by the same group using a different attack vector eight months after the first incident. The question isn’t whether your school’s LMS provider has been breached before. It’s whether they’ve actually fixed anything since.