Canvas Back Up After ShinyHunters Ransomware Attack Hits 9,000 Schools Worldwide
Canvas is back online as of Friday, May 8, 2026, following one of the most disruptive cyberattacks ever to target American education. Hacking group ShinyHunters broke into Instructure — the parent company of Canvas LMS — stealing data tied to an estimated 275 million users and replacing the platform's login page with a ransom demand. The attack struck at the worst possible moment: finals week.
Is Canvas Back Up? — Here Is the Current Status
Instructure said Friday morning that Canvas was "fully back online and available for use." Multiple universities and school districts throughout the country reported their Canvas pages were back up and running on Friday, though some schools had already extended deadlines and changed finals schedules because of the hack.
Instructure confirmed the unauthorized actor exploited an issue related to its Free-For-Teacher accounts and has made the decision to temporarily shut those accounts down. The company said it notified law enforcement, including the FBI and the US Cybersecurity and Infrastructure Security Agency.
Who Hacked Canvas? — ShinyHunters and the Ransomware Attack
On May 7, 2026, Canvas was hacked, with its login page replaced by a message from ShinyHunters, a criminal hacking group. ShinyHunters claimed responsibility for breaching Instructure and Canvas, threatening to release sensitive data unless ransom demands are fulfilled by May 12, 2026.
ShinyHunters claimed in a ransom note shared on May 3 that it had breached 275 million individuals' data and had access to "several billions of private messages," giving an initial May 6 deadline for Instructure to reach out. In a follow-up note, the hacking group gave a May 12 deadline for impacted schools "to negotiate a settlement."
ShinyHunters claim they stole 3.65 terabytes of data. Alongside the Canvas attack, the same group also breached video-hosting platform Vimeo through a supply chain attack, accessing approximately 119,000 accounts via a third-party partner company called Anodot.
Canvas Ransomware Attack — How It Started
Instructure said it first detected unauthorized activity in Canvas on April 29. On May 7, it found more unauthorized activity tied to the same April 29 incident, at which point someone changed the pages that appeared when students and teachers logged in. Instructure took Canvas offline to investigate and contain the activity.
The ransom note that appeared on Canvas read: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches.'" The warning set a deadline for "the end of the day by May 12, 2026" before "everything is leaked."
Schools Affected by the Canvas Hack — Who Is on the List
ShinyHunters shared a list of 8,809 school districts, universities, and online education platforms whose Canvas instances they claim were impacted, with per-institution record counts ranging from tens of thousands to several million. Educational institutions in the United States, United Kingdom, New Zealand, Australia, Sweden, and the Netherlands reported disruptions or potential exposure of user information.
ShinyHunters previously published a list of nearly 9,000 affected institutions, including all eight Ivy League universities. The University of Pennsylvania alone reported over 306,000 affiliates affected, with exposed data including emails, names, Penn ID numbers, and course enrollments.
Notable confirmed affected institutions include:
| Institution / District | Status |
|---|---|
| Liberty University | Finals rescheduled, extensions provided |
| University of Virginia | Disrupted |
| University of Pennsylvania | 306,000+ users affected |
| Virginia Tech | Statement issued, finals impacted |
| Wake County Public Schools (NC) | Canvas access removed |
| Durham Public Schools (NC) | Potential data access confirmed |
| Anne Arundel County Public Schools (MD) | Shut down Canvas access |
| Virginia Western Community College | Disrupted |
| All 8 Ivy League Universities | Listed in ShinyHunters breach data |
Liberty University Canvas — What Happened on Campus
Liberty University issued a campus-wide notification stating it was aware of the ongoing Canvas situation affecting Liberty and many other schools. The university confirmed that "appropriate class extensions will be provided" and warned students that if they encountered a prompt within Canvas asking them to re-enter their Liberty username or password, they should not provide that information.
Finals scheduled on Friday, May 8, at Liberty were rescheduled for Sunday, May 10, at the same times and locations as originally planned. The university acknowledged the change would create challenges and asked for understanding and flexibility from the campus community.
Canvas Data Breach — What Information Was Stolen
Instructure said the information involved in the incident appeared to include names, email addresses, student ID numbers, and messages among users. The company stated it had not found evidence that passwords, dates of birth, government identifiers, or financial information were involved.
The risk for students and faculty impacted, according to a retired FBI special agent, is that they could be victims not only today but years later. "You need to follow up, because they have this information on these students now and a couple of years from now, they may use some of that information to attack them."
ShinyHunters — Who Are the Canvas Hackers
Little is publicly known about the hacking group, but cybersecurity researchers and federal authorities have linked the ShinyHunters name to several high-profile data theft incidents. The group previously claimed responsibility for hacking Ticketmaster and attempting to sell user data on the dark web in 2024. In 2024, the US Department of Justice announced the sentencing of a member tied to the ShinyHunters name after that individual posted stolen data from more than 60 companies on dark web forums.
Mandiant CTO Charles Carmakal said "there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now," signaling the Canvas attack is part of a much broader and ongoing criminal operation.
What Is a Data Breach — And What Should Students Do Now
A data breach occurs when an unauthorized party gains access to private or sensitive information stored by a company or institution. In the Canvas ransomware attack, the exposed data includes student names, email addresses, ID numbers, and private messages — enough for targeted phishing attacks or identity theft schemes years into the future.
If your child was affected by the Instructure breach, change their Canvas password immediately, especially if your school allows login with a username and password rather than single sign-on. If your child reuses passwords across platforms — for Canvas, email, and gaming accounts — change those other passwords as well and give every account its own strong, unique password.
The May 12 ransom deadline set by ShinyHunters remains active, and millions of students, parents, and faculty members are watching to see whether Instructure or any affected institution will negotiate — or let the clock run out.
