The latest comes after the company that owns Canvas said the learning management system was “fully operational.”
One day after Instructure said it had resolved a data breach to its learning management system, Canvas, the hackers are at it again.
On Thursday, students and faculty who use Canvas for course delivery reported receiving a message from the criminal extortion group ShinyHunters, which earlier this week claimed to have compromised the personal identifying information of 275 million people across 9,000 institutions, including students, teachers and staff.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” read a message multiple Canvas users received when they tried to log in to the platform on Thursday. “If any schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us.”
The group had previously given Instructure until Wednesday to pay a ransom, threatening to leak all the data if the company didn’t pay by the deadline. But according to ShinyHunters—which is also linked to recent data breaches at the University of Pennsylvania and Princeton and Harvard Universities—Instructure didn’t respond to those demands in time.
Instead, the company said earlier this week that it had addressed the breach by deploying security measures, including revoking privileged credentials and access tokens associated with affected systems; deploying patches to enhance system security; rotating certain keys, “even though there is no evidence they were misused”; and implementing increased monitoring across all platforms.
Instructure posted Wednesday that “Canvas is fully operational, and we are not seeing any ongoing unauthorized activity.” But by Thursday afternoon, Instructure acknowledged there was trouble again: “Canvas, Canvas Beta and Canvas Test are currently unavailable,” read a status update. “We are currently investigating this issue.”
It’s not clear if Instructure plans to pay the ransom by the May 12 deadline, but ShinyHunters criticized Instructure’s lack of communication to date.
“Instructure has not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data. Our demand was not even as high as you might think it is,” reads one version of the cybergang’s ransom letter posted on RansomLook, a website that tracks cybercrime activity. “The Company seemingly does not care about all the students affected and the institutions impacted by this data breach.”
Instructure said earlier this week that the leaked information includes names, email addresses, student ID numbers and user messages, but that it has so far “found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
