Last week, hackers breached Instructure, the developer of the educational platform Canvas, spoofed login pages, and demanded a ransom. The widespread outage forced educational institutions to postpone exams, and students worldwide lost access to assignments and materials.
The widespread outage of Canvas, the educational platform used by schools, colleges, and universities, affected institutions in the United States and other countries. The attack was caused by the ShinyHunters ransomware group, during which the attackers not only stole data but also spoofed login pages with ransomware.
Instructure representatives reported that the attackers gained access to the infrastructure as early as late April 2026. The company later confirmed that user data, including names, email addresses, course names, enrollment information, and in-platform messages, was stolen during the incident.
According to the hackers themselves, the theft involved approximately 275 million records associated with 8,809 educational institutions. The attack essentially consisted of two phases. First, the attackers compromised Instructure's infrastructure and stole user data, then, on May 7, 2026, they re-infiltrated Canvas and replaced login pages with ransomware. Approximately 330 educational institutions were affected by the second phase of the attack and the spoofed login pages. The hackers' message contained an ultimatum: the attackers gave Instructure representatives and the affected institutions until May 12 to negotiate a ransom. Simultaneously, Canvas began going offline. Worse, the outage coincided with final exams. As a result, the University of Illinois postponed final exams, the University of Massachusetts at Dartmouth moved assignments forward, and the University of Texas at San Antonio postponed exams. Teachers were forced to urgently find workarounds for accepting assignments and assigning grades. As Instructure later explained , the attackers exploited an XSS vulnerability in Free-for-Teacher, a free version of Canvas for individual teachers. By injecting malicious JavaScript, the hackers were able to hijack administrative sessions and perform privileged actions. The company subsequently temporarily disabled Free-for-Teacher and placed Canvas into maintenance mode. Instructure claims that the defacement of the login pages did not result in a new data leak, but the information stolen during the initial hack already included user posts, conversations, and more. ShinyHunters members claimed to have extracted over 3.6 TB of data from the company's systems. Ultimately, the company agreed to a settlement this week.
With the ransomware. Instructure reported reaching a settlement with the attackers, after which they allegedly deleted the stolen data and provided file destruction logs. Furthermore, company representatives assured that individual schools and universities would not have to negotiate with the criminals themselves.
The ShinyHunters hackers did indeed remove the post about the Instructure hack from their website, which typically occurs after the ransom is paid. However, the ransom amount was not disclosed, and security experts remind that even after payment, there is no guarantee that the stolen data will not later appear online or be resold to other criminals.
The widespread outage of Canvas, the educational platform used by schools, colleges, and universities, affected institutions in the United States and other countries. The attack was caused by the ShinyHunters ransomware group, during which the attackers not only stole data but also spoofed login pages with ransomware.
Instructure representatives reported that the attackers gained access to the infrastructure as early as late April 2026. The company later confirmed that user data, including names, email addresses, course names, enrollment information, and in-platform messages, was stolen during the incident.
According to the hackers themselves, the theft involved approximately 275 million records associated with 8,809 educational institutions. The attack essentially consisted of two phases. First, the attackers compromised Instructure's infrastructure and stole user data, then, on May 7, 2026, they re-infiltrated Canvas and replaced login pages with ransomware. Approximately 330 educational institutions were affected by the second phase of the attack and the spoofed login pages. The hackers' message contained an ultimatum: the attackers gave Instructure representatives and the affected institutions until May 12 to negotiate a ransom. Simultaneously, Canvas began going offline. Worse, the outage coincided with final exams. As a result, the University of Illinois postponed final exams, the University of Massachusetts at Dartmouth moved assignments forward, and the University of Texas at San Antonio postponed exams. Teachers were forced to urgently find workarounds for accepting assignments and assigning grades. As Instructure later explained , the attackers exploited an XSS vulnerability in Free-for-Teacher, a free version of Canvas for individual teachers. By injecting malicious JavaScript, the hackers were able to hijack administrative sessions and perform privileged actions. The company subsequently temporarily disabled Free-for-Teacher and placed Canvas into maintenance mode. Instructure claims that the defacement of the login pages did not result in a new data leak, but the information stolen during the initial hack already included user posts, conversations, and more. ShinyHunters members claimed to have extracted over 3.6 TB of data from the company's systems. Ultimately, the company agreed to a settlement this week.
With the ransomware. Instructure reported reaching a settlement with the attackers, after which they allegedly deleted the stolen data and provided file destruction logs. Furthermore, company representatives assured that individual schools and universities would not have to negotiate with the criminals themselves.
The ShinyHunters hackers did indeed remove the post about the Instructure hack from their website, which typically occurs after the ransom is paid. However, the ransom amount was not disclosed, and security experts remind that even after payment, there is no guarantee that the stolen data will not later appear online or be resold to other criminals.