Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

One of the largest cybersecurity incidents to impact the education sector came to light in May 2026 after learning platform Canvas LMS confirmed that it had suffered a significant data breach. According to Instructure, the company behind Canvas, unauthorized access to its systems occurred on April 25. The intrusion was detected several days later, and the company publicly disclosed the incident on May 1 after taking steps to contain the threat. The attack was later linked to the ShinyHunters cybercrime group, which claimed responsibility for stealing approximately 3.65 terabytes of data. Reports suggest that nearly 275 million records were compromised, affecting around 9,000 educational institutions worldwide. The stolen information reportedly included usernames, email addresses, course details, enrollment records, and internal messages exchanged through the platform.
The incident quickly escalated when Canvas login pages were briefly defaced with a message from the attackers, accusing the company of ignoring their demands. The group also threatened to release the stolen data unless an agreement was reached.
Several well-known universities, including Harvard, Stanford, Columbia, and Georgetown, were reportedly among the institutions affected by the breach. During the investigation, portions of the Canvas service were temporarily placed into maintenance mode to limit further risk. On May 11, Instructure issued a public apology regarding its handling of the incident and acknowledged concerns raised by customers about communication during the response process. The company later stated that it had reached an agreement with the threat actors and believed the stolen data had been destroyed. However, reports of a possible ransom payment have not been independently confirmed. With an estimated 275 million records exposed and thousands of schools impacted, the Canvas incident is being viewed as one of the most significant education-sector cyber breaches ever recorded. The attack serves as another reminder of the growing cybersecurity challenges facing schools, universities, and online learning platforms around the world.