Canvas Breach 2026: ShinyHunters Hit Instructure Twice, Exposing 275 Million Users Before Finals Week
On May 3, 2026, the ShinyHunters extortion group claimed responsibility for breaching Instructure, the parent company of Canvas — the learning management system used by 41 percent of higher education institutions in North America. The group claimed theft of 275 million user records and 3.65 terabytes of data spanning 8,809 schools, universities, and education platforms. On May 7, after Instructure publicly stated the incident was “resolved,” ShinyHunters re-compromised Canvas, redirecting university Canvas pages — including Harvard's, Penn's, Duke's, and the University of Wisconsin's — to a new ransom message setting a May 12 deadline. Forty minutes later, Instructure replaced the active ransom message with a fake “Canvas is currently undergoing scheduled maintenance” page during finals week. The status page was quietly updated to acknowledge the incident only twenty-one minutes after that.
ShinyHunters listed Instructure on its dark web leak site on May 3, 2026, claiming 275 million records spanning nearly 9,000 schools and 3.65 TB of uncompressed data — including names, email addresses, student IDs, course enrollments, and what the group described as "several billions of private messages" between students, teachers, and staff. Instructure publicly confirmed the cybersecurity incident on May 4 and stated there was "no evidence" that passwords, dates of birth, government identifiers, or financial information were exposed. On May 5, ShinyHunters published a list of 8,809 affected institutions including all eight Ivy League universities; the University of Pennsylvania alone confirmed approximately 306,000 affected affiliates, with TechCrunch independently verifying sample data from a Tennessee and a Massachusetts university. On May 6, Instructure publicly stated the security incident was "resolved with Canvas fully operational and no indication of ongoing unauthorized activity." On May 7 at approximately 3:30 PM Eastern, ShinyHunters re-compromised Canvas — redirecting university Canvas pages including Harvard's, Penn's, Duke's, and Wisconsin's to a new ransom message setting a May 12 deadline. At 4:20 PM Eastern, Instructure replaced the active ransom display with a Canvas-branded page reading "Canvas is currently undergoing scheduled maintenance. Check back soon." The status page would not acknowledge the incident publicly until 4:41 PM, twenty-one minutes after the maintenance cover went up. Canvas access was disrupted at multiple major universities during finals week.
ShinyHunters has not publicly disclosed the specific entry point, but the group's operational pattern across recent campaigns — Snowflake in 2024, Adobe in April 2026, Carnival, ADT, Rockstar Games — has consistently relied on stolen credentials, misconfigured SaaS permissions, vishing calls, and supply chain compromises rather than malware or zero-day exploits. Instructure has separately alleged that its Salesforce instance was also breached in the same campaign, suggesting a multi-system compromise consistent with the group's federated SaaS attack pattern. The fact that ShinyHunters claims to have re-compromised Canvas on May 7 — after Instructure announced "security patches" in response to the May 3 breach — suggests either a persistent backdoor, additional unrotated credentials elsewhere in the environment, or a structural flaw the patch deployment did not address. ShinyHunters had previously compromised University of Pennsylvania data through a Canvas/Instructure access path in September 2025, making this the third Instructure-related compromise in eight months and confirming that the May 7 events were not an isolated incident but the continuation of a campaign Instructure had repeated opportunities to disrupt. Final attribution will require Instructure's full incident response disclosure, which is typically published 30 to 90 days after initial confirmation.
The Canvas breach demonstrates four lessons every modern enterprise should internalize. First, vendor-of-vendor risk is now existential — universities did not lose student data to their own infrastructure failures, but to a SaaS provider whose Salesforce instance was also compromised in the same campaign. Second, SaaS authentication is the new perimeter, and MFA on the application layer is not the same as MFA on the cloud control plane behind it. Third, the second compromise after Instructure's "security patches" shows that incident response without root cause elimination is theater, not remediation. The patches addressed the symptom, not the access path. Fourth, and most damaging: when Instructure replaced an active ransom message with a fake "scheduled maintenance" page during finals week, and let its status page run twenty-one minutes behind reality, it crossed from incident response into incident misrepresentation. Vendor honesty during an active incident is now an explicit board-level due diligence item. Boards and CISOs should treat any breach response that does not include credential rotation, token revocation, full SaaS access reauthorization, AND truthful customer-facing communications as incomplete.
Further Analysis
For PE sponsors with portfolio companies in education technology, K-12 services, online learning, or any sector with concentrated SaaS dependency, the Canvas breach has direct and immediate implications. Any portfolio company that relies on Canvas, Instructure, or comparable single-vendor SaaS for critical operational workflows now has an exposure question that needs answering this quarter — not at next renewal. The pattern also matters: this is the third Instructure-related ShinyHunters compromise in eight months, not the first or second. Pre-acquisition cyber due diligence must extend beyond the target company's own infrastructure to the third-party SaaS stack the target depends on, the historical pattern of incidents at those vendors, AND the vendor's communications posture during active incidents. A vendor that runs "scheduled maintenance" cover during a confirmed criminal extortion event is a vendor whose disclosure obligations to portfolio companies cannot be relied on without independent validation. Post-close, vendor-risk programs need real budget, real authority, and the ability to require alternate vendors when concentration risk crosses defined thresholds. The Canvas breach is the case study every PE operating partner will be asked about by an LP this quarter.