‘Pay or Leak’: How ShinyHunters hacked into Instructure’s Canvas platform leaving universities across US clueless
A major cyber attack by ShinyHunters has crippled Instructure Canvas, the learning platform used by several universities including Harvard and Stanford. Thousands of students and institutions are affected across the United States. The hackers clai...
By Divyadeep Singh, Global Desk | Updated:
Reuters
Instructure Canvas Cyber Hack: A massive cyber hack on Thursday (May 8, 2026) left universities including Harvard, Stanford and thousands of other institutions scrambling as the widespread outage, following an earlier data breach, blocked access to the Canvas learning platform. The cyber attack was claimed by ShinyHunters, a well-known cyber extortion group active since at least 2019,
According to the Harvard Crimson student newspaper and posts on social media, students attempting to access the system on Thursday saw a message from the hacking group saying servers belonging to Canvas's parent company Instructure had "again" been breached. The group warned it would release all stolen data if schools did not make contact by May 12, 2026, news agency AFP reported.
The message included a link to a list of schools ShinyHunters claims to have breached through Canvas. Instructure said the stolen data in the original breach included personal details such as names, email addresses and student ID numbers, along with private messages exchanged between users.
It remains unclear exactly how ShinyHunters breached Instructure, but late last week, Canvas users began reporting disruptions involving their authentication keys, according to news platform Inside Higher Ed. Shortly afterward, Instructure was contacted by ShinyHunters regarding the incident: “PAY OR LEAK.”
"Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the hackers said. "If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately...to negotiate a settlement." The group warned it would release all stolen data if schools did not make contact by May 12.
If Instructure didn’t pay up, it could anticipate a leak of “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information],” ShinyHunters wrote in a ransom letter published May 3 by the website Ransomware.live, which tracks and monitors ransomware groups’ victims and their activity.
The hackers told Instructure “to reach out by 6 May 2026 before we leak along with several annoying [digital] problems that’ll come your way,” warning the company to “make the right decision” to avoid becoming “the next headline.”
ALSO READ: Canvas Hack: Why are students grateful and happy as massive outage leaves universities across US stranded?
According to the Harvard Crimson student newspaper and posts on social media, students attempting to access the system on Thursday saw a message from the hacking group saying servers belonging to Canvas's parent company Instructure had "again" been breached. The group warned it would release all stolen data if schools did not make contact by May 12, 2026, news agency AFP reported.
The message included a link to a list of schools ShinyHunters claims to have breached through Canvas. Instructure said the stolen data in the original breach included personal details such as names, email addresses and student ID numbers, along with private messages exchanged between users.
How ShinyHunters hacked into Instructure
It remains unclear exactly how ShinyHunters breached Instructure, but late last week, Canvas users began reporting disruptions involving their authentication keys, according to news platform Inside Higher Ed. Shortly afterward, Instructure was contacted by ShinyHunters regarding the incident: “PAY OR LEAK.”
"Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the hackers said. "If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately...to negotiate a settlement." The group warned it would release all stolen data if schools did not make contact by May 12.
ADVERTISEMENT
ShinyHunters issues stark warning to Instructure
If Instructure didn’t pay up, it could anticipate a leak of “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information],” ShinyHunters wrote in a ransom letter published May 3 by the website Ransomware.live, which tracks and monitors ransomware groups’ victims and their activity.
The hackers told Instructure “to reach out by 6 May 2026 before we leak along with several annoying [digital] problems that’ll come your way,” warning the company to “make the right decision” to avoid becoming “the next headline.”
ALSO READ: Canvas Hack: Why are students grateful and happy as massive outage leaves universities across US stranded?
Download
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
ADVERTISEMENT
