In a shocking revelation, the widely-used learning management platform, Canvas, operated by Instructure, is currently offline due to a significant data breach that has put the personal information of millions at risk. On Thursday, students attempting to log into the site were greeted not only by disruption but also by a threatening message from the notorious hacking group, ShinyHunters.
ShinyHunters boasted responsibility for the breach, stating, "ShinyHunters has breached Instructure (again)". The hacker group has a history of high-profile cyberattacks on companies like Ticketmaster and AT&T, and it claims to have acquired sensitive information, including names, email addresses, student ID numbers, and private messages. The hackers warned that if educational institutions fail to contact them by May 12, 2026, they would publish the data online.
"Instead of contacting us to resolve it, they ignored us and did some ‘security patches.’ If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement," the message read.
According to reports from Bleeping Computer, ShinyHunters asserts that its data leak site contains information from over 9,000 schools, affecting approximately 275 million students, teachers, and staff members. This alarming statistic raises serious concerns about the ongoing vulnerabilities in educational technology systems, particularly regarding data security.
Instructure has responded to the breach by placing Canvas and its related platforms in maintenance mode. A message on their status page indicates that they are working to restore services but has not provided a specific timeline for when Canvas will be back online: "We anticipate being up soon and will provide updates as soon as possible."
Following the breach, Instructure stated it had implemented security patches to enhance system integrity, but the seriousness of the attack has left students and educators in a state of uncertainty as they face potential disruptions in their academic routines and concerns for personal data safety. 
As the deadline looms for institutions to negotiate with ShinyHunters, the educational community watches closely, hoping for a swift resolution and effective measures to protect against such incidents in the future.
Source: The Verge
