Canvas returns online after global data breach and ransom demand
Updated
Updated · WRAL News · May 7
Canvas returns online after global data breach and ransom demand
19 articles · Updated · WRAL News · May 7
Wake and Durham counties said student and teacher data was accessed, while UNC-Chapel Hill users lost access on the last day of final exams.
Canvas parent Instructure said hackers obtained names, email addresses, student IDs and messages; the platform entered maintenance mode on Thursday and was restored for most users that night.
The breach was first detected on 29 April, and ShinyHunters claimed responsibility. Universities have rescheduled exams and urged faculty to download grades and assignments in case of further outages.
After a second massive data breach, can the company behind Canvas be trusted with student data again?
As hackers demand a settlement, should universities pay ransoms or risk leaking student data?
Global Education Sector Hit by Instructure Canvas Breach Affecting 275 Million Users
Overview
In May 2026, the criminal group ShinyHunters breached Instructure by exploiting a Salesforce misconfiguration, gaining access to data from 275 million users across 9,000 educational institutions. They exfiltrated 3.65 terabytes of sensitive information, including names, emails, student IDs, and private messages, then defaced the Canvas login page with an extortion message setting a ransom deadline. Instructure responded by revoking credentials, rotating API keys, deploying patches, and refusing to pay the ransom while investigating the breach. The exposed data increased risks of targeted phishing, identity fraud, and psychological harm, prompting institutions to enhance monitoring and users to adopt stronger security practices. This breach, alongside a related Vimeo compromise via a third-party vendor, highlights critical vulnerabilities in third-party integrations and the urgent need for robust supply chain risk management in education technology.