AN ongoing data extortion attack against the Canvas platform disrupted classes across the United States on 7 May 2026, after a cybercrime group defaced the login page with a ransom demand. The extortion message claimed data from 275 million students and faculty across nearly 9,000 educational institutions could be leaked unless paid, and a ransom deadline was initially set for 6 May before being pushed to 12 May.
Instructure, the Canvas parent firm, disabled the platform in response to the defacements, and stated that the stolen information includes user names, email addresses, and student ID numbers, as well as messages among users, while noting there was no evidence of passwords, dates of birth, government identifiers or financial information. By mid-day on 7 May, many students and staff reported the ransom demand replacing the usual login page, prompting Instructure to replace the portal with a maintenance message.
The security firm Cloudskope described the incident as at least the third breach linked to ShinyHunters within eight months, with experts noting multiple concurrent ShinyHunters intrusion and extortion campaigns, according to Instructure. According to Instructure.