Crime
A hacking group that claimed responsibility for attacking Canvas’s parent company said it had gained access to data from more than 275 million people across 9,000 schools.
Harvard is one of the schools that experienced Canvas outages on Thursday. Sophie Park/The New York Times
May 7, 2026
2 minutes to read
Canvas, a platform used by more than 8,000 universities and K-12 schools for course websites, assignments and communication, was shut down for several hours Thursday. A hacking group claimed responsibility for a data breach affecting the company that owns the platform, jeopardizing the personal data of millions of students and teachers.
Several prominent universities, including the University of Michigan and Harvard University, alerted students Thursday that Canvas was unavailable. Across the country, students have been preparing for, or are already taking, their final exams.
Instructure, which provides its Canvas software to about half of all colleges and universities in North America, said the software was under maintenance, and anticipated “being up soon” in an alert posted on its website Thursday evening. The company earlier said it was investigating why the software was unavailable.
Instructure did not immediately respond to a request for comment.
ShinyHunters, the hacking group that claimed responsibility for the Instructure data breach, said it had accessed data from more than 275 million people across nearly 9,000 schools, according to a ransom letter shared May 3 by Ransomware.live, which monitors ransomware groups.
An email shared with students at Barnard College in New York said the outage had appeared to be “the result of a previous cyberattack on Instructure.”
Instructure disclosed May 1 that it had experienced a “cybersecurity incident perpetrated by a criminal threat actor.” Steve Proud, Instructure’s chief information security officer, said the company had enlisted forensics experts to minimize the impact of the breach.
In an update shared the next day, Proud said the compromised information included personal identifying information such as names, email addresses, student ID numbers and Canvas messages.
The company did not find evidence that passwords, birthdays, government identifiers or financial information had been breached, he said. The breach was “contained” as of May 2, Proud added.
“Canvas is fully operational, and we are not seeing any ongoing unauthorized activity,” the company said on its website Wednesday.
ShinyHunters, which is believed to have been formed around 2020, claimed responsibility for the breach Thursday in a message that appeared on students’ Canvas pages and was obtained by The New York Times.
The group said it had breached Instructure “again” after the company failed to contact it to resolve its security issue. Instead, the group claimed that Instructure “ignored us and did some ‘security patches.’”
ShinyHunters said in its message that it would leak an unspecified amount of data May 12 if it didn’t hear from Instructure. In its May 3 ransom note, the group threatened to leak “several billions of private messages among students and teachers.”
The group also encouraged affected schools, which include Duke University and the University of Maryland, to consult with cybersecurity experts and reach out “to negotiate a settlement.”
Some students later saw ShinyHunters’ message change to an alert saying Canvas was “currently undergoing scheduled maintenance.” The outage appeared to be active as of 8 p.m.
Not much is known about ShinyHunters, but its goal appears to be to obtain personal records and sell them. The hacking group has previously targeted Ticketmaster, Microsoft, AT&T and dozens of other companies in the United States and elsewhere.
The group has also recently taken aim at education companies, including Infinite Campus, a K-12 student information system, and McGraw Hill, a prominent textbook publisher.
This article originally appeared in The New York Times.
Sign up for the Today newsletter
Get everything you need to know to start your day, delivered right to your inbox every morning.
