The latest comes after the company that owns Canvas said the learning management system is “fully operational.”
A day after Instructure said it had resolved a data breach in its learning management system, Canvas, the hackers are at it again.
On Thursday, students and teachers using Canvas for course delivery reported receiving a message from the hacking group ShinyHunters, which earlier this week said it had compromised the personal information of 275 million people at 9,000 institutions, including students, teachers and staff.
“ShinyHunters broke Instructure (again). Instead of contacting us to resolve it they ignored us and made ‘security patches,'” read a message received by many Canvas users when they tried to log into the forum on Thursday. “If any of the schools on the affected list are interested in preventing the release of their data, please contact an online advisory firm and contact us privately at TOX to discuss a solution. You have until the end of the day on 12 May 2026 before everything is leaked. The Instruction still has until EOD 12 May 2026 to contact us.”
Earlier, the group had given Instructure until Wednesday to pay the ransom, threatening to leak all information if the company did not pay by the deadline. But according to ShinyHunters—which has also been linked to recent data breaches at the University of Pennsylvania and Princeton and Harvard Universities—Instructure did not respond to those demands in time.
Instead, the company said earlier this week that it responded to the breach by deploying security measures, including revocation of privileged information and access tokens associated with affected systems; issuing patches to improve system security; rotating certain keys, “although there is no evidence that they have been misused”; and implementing increased monitoring across platforms.
Instructure posted on Wednesday that “Canvas is fully functional, and we are not seeing any unauthorized activity going on.” But on Thursday afternoon, Instructure admitted there was a problem again: “Canvas, Canvas Beta and Canvas Test are currently unavailable,” read a status update. “We are currently investigating this matter.”
It is unclear whether Instructure plans to pay the ransom by the May 12 deadline, but ShinyHunters has criticized Instructure’s lack of communication so far.
“Academics did not even bother to talk to us to understand the situation or even to negotiate with us to prevent the release of this data. Our demand was not as high as you might think it is,” reads one version of the gang’s ransom note posted on RansomLook, a website that tracks computer crime. “The company does not seem to care about all the affected students and institutions affected by this data breach.”
Instructure said earlier this week that the leaked data included names, email addresses, student ID numbers and user messages, but so far it has “found no evidence that passwords, birthdays, government identifiers, or financial information were involved.”
