Instructure’s Canvas learning platform went offline Thursday after the company confirmed a breach that exposed student names, email addresses, ID numbers and private messages. Users who tried to log in were greeted by a note from the hacking collective ShinyHunters, which claimed responsibility and warned of a public dump unless a settlement is paid. The message also demanded contact through a private TOX channel for negotiations.

The group posted a link to a list of targeted schools and set a deadline of 12 May 2026 to avoid exposure. Their leak site allegedly contains data from roughly 9,000 institutions, covering 275 million students, teachers and staff. Experts warn credentials may surface on dark‑web markets. Instructure said it had already deployed patches to harden Canvas, Canvas Beta and Canvas Test while investigators assess the outage.

ShinyHunters has a record of high‑profile attacks on Ticketmaster, AT&T, Rockstar Games, ADT and Vercel, suggesting they possess the tools to pivot from a single LMS breach to a broader education‑sector campaign. Schools still dependent on Canvas now face forced negotiations and potential data leaks, forcing administrators to audit access controls and consider alternative platforms.