Canvas Breach Moves from Disclosure to Demand as ShinyHunters Sets May 12 Deadline

The extortion group ShinyHunters defaced Canvas login pages at universities across North America on Thursday, opening what appears to be a second wave of pressure against learning-platform parent Instructure ahead of a May 12 leak deadline.

By Friday, the group’s claimed haul stood at 275 million records and 3.65 terabytes pulled from about 9,000 schools across North America, Europe, and parts of Asia and Oceania, with named exposure at Harvard, MIT, Oxford, Stanford, Cambridge, Duke, Rutgers, the University of Pennsylvania, Penn State, and the University of California, Berkeley. All user and institution counts in this article reflect ShinyHunters’ claims and may change as Instructure’s investigation continues.

Canvas serves about 41 percent of North American higher-education institutions by institution count and about half of total enrollment, according to year-end 2024 LMS market data compiled by industry analysts at OneEdTech, making vendor concentration a structural feature of the affected sector.

How the Second Wave Unfolded

Instructure detected unauthorized activity in Canvas on April 29 and revoked the intruder’s access the same day, the Salt Lake City-based company said in a May 1 statement attributed to Chief Information Security Officer Steve Proud. Outside forensic experts were engaged that day, and law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, were notified.

ShinyHunters first publicly claimed responsibility on May 3 and set an initial deadline of May 6. When that deadline passed without payment, the group exploited an issue tied to Instructure’s Free-For-Teacher accounts and altered the login pages presented to some students and teachers, the company said in subsequent updates to its public incident page. The defaced pages directed institutions to contact ShinyHunters directly to forestall a leak, with the new deadline set for the end of day on May 12.

What was Taken — and What was Not

Based on the investigation to date, the data taken includes names, email addresses, student ID numbers, and messages exchanged among users, Proud said. The company said that, as of its investigation to date, it has found no indication that passwords, dates of birth, government identifiers, or financial information were compromised. ShinyHunters has separately claimed that the haul covers students, teachers, and staff at about 9,000 schools and 15,000 institutions, including 44 Dutch institutions among the named victims, based on an institution list the group published; those figures have not been independently verified.

Duke Chief Information Security Officer Nick Tripp told WRAL News the university is monitoring the situation and that Instructure has informed Duke that no passwords, dates of birth, government identifiers, or financial information appear to have been involved. Tripp said Duke would continue to assess the impact as Instructure’s investigation progresses. Instructure has not publicly disclosed whether it has engaged in any negotiation with ShinyHunters; the company’s incident notices have focused on detection, containment, and law-enforcement coordination rather than commercial response.

The episode is the second Canvas-linked compromise associated with Instructure since a 2025 third-party Salesforce campaign, according to industry coverage from Inside Higher Ed and the security research firm Rescana. That recurrence pattern matters for risk programs because it shifts the question from whether something like this could happen to what changed since the last time it did — a framing that boards, regulators, and plaintiffs will pose in the coming weeks.

Instructure has not publicly disclosed the original intrusion vector or any ransom terms, and none of the sources reviewed for this article independently verify the attackers’ volume and institution-count claims.

FERPA, State Statutes, and the School-Official Exception

Federal law and many state statutes generally leave schools responsible for student-record and community notification decisions, while vendor-specific statutes and contracts may impose separate duties on Instructure. Under the Family Educational Rights and Privacy Act (FERPA), Instructure operates as a school official with conditional access to student records. That conditional status hinges on the vendor maintaining adequate security and supplying timely, accurate incident information to the institution — both of which become litigation arguments the day a breach is disclosed.

FERPA contains no fixed notification timeline, but state statutes do. New York Education Law 2-d, California’s Student Online Personal Information Protection Act, and over 100 similar state student-privacy laws across most U.S. states, depending on counting methodology, impose vendor-specific duties separate from FERPA, with timelines and content requirements that vary by state. For non-U.S. campuses caught in the data set — including the United Kingdom, the Netherlands, and other European Union jurisdictions — the European General Data Protection Regulation (GDPR) imposes a 72-hour supervisory-authority notification window from awareness, with separate data-subject notice obligations where high risk is established.

K-12 districts on the affected list face a parallel set of obligations distinct from those in higher education. The Federal Trade Commission’s amended Children’s Online Privacy Protection Act (COPPA) Rule, with an April 22, 2026, compliance date for most provisions, heightens obligations around consent, data minimization, retention, and security for operators collecting personal information from children under 13, and most state K-12 statutes apply tighter timelines and parent-notification mechanics that college and university counsel do not face. Districts using Canvas alongside other ed-tech platforms also face overlapping vendor-risk questions where a single dataset crosses multiple processors.

Privacy counsel should pressure-test three items this week: the contractual data-processing addendum with Instructure and what it requires the vendor to deliver during a confirmed incident; the state-by-state notification matrix for affected campuses and districts; and the data-subject communication plan for any EU campus, where the calendar starts from awareness rather than confirmation.

Class Actions Arrive within Days

Plaintiffs’ firms moved quickly. ClassAction.org, a plaintiff-side legal services and lead-generation site, confirmed an active investigation on May 7, and the plaintiffs’ firm, Chimicles Schwartz Kriner & Donaldson-Smith, opened a parallel inquiry the same day. Historical breach-litigation patterns suggest filings are likely to compound over the next 30 to 60 days as institutions are publicly tied to the data set and as state attorneys general open inquiries. Litigation holds — already standard practice for any institution with anticipated dispute exposure — should now treat Canvas-stored content as a discoverable category, including coursework, faculty-student messaging, and student-conduct records.

Rob D’Ovidio, an associate professor in Drexel University’s Department of Criminology, told reporters the sector-wide nature of the compromise distinguishes it from prior single-institution incidents because the affected vendor reaches close to a majority of education institutions in the country, raising the prospect of highly tailored phishing follow-on activity against students and staff whose names, email addresses, and institutional identifiers are now in adversary inventory.

eDiscovery, Chain of Custody, and Canvas-stored Evidence

For institutions with active or reasonably anticipated litigation, the breach is a chain-of-custody event before it is anything else. Canvas content used in academic-integrity proceedings, employment matters, Title IX cases, and faculty-conduct disputes now has a custody history that includes an unknown adversary copy. Counsel and eDiscovery teams should document the breach-aware preservation posture this week, contact Instructure or institutional IT for a written preservation status confirmation, revisit the collection scope on existing matters where Canvas was a custodial source, and decide whether to flag the third-party copy in any forthcoming meet-and-confer. Spoliation arguments are unlikely to land where the institution acted reasonably; the discipline is in showing the court and case file how the institution acted.

Vendor as Victim, Once Again

The Instructure incident extends a pattern that, in many of the past year’s headline breaches, has effectively made the vendor the breach target and the customer the data subject. ShinyHunters has been tied to mass-extraction campaigns against Snowflake-related customers, Salesforce instances, and Mixpanel analytics, with consistent extortion mechanics — exfiltration, public claim, deadline pressure, and a second wave when the first deadline passes. The May 7 login-page defacement is a tactic refresh; the underlying playbook is unchanged.

Information-security teams in higher education and K-12 should treat the Canvas event as a vendor-tier exercise. Map every learning, identity, and assessment system that touches student records; obtain written confirmation of incident-handling protocols from each one; and rehearse the regulator and counsel cadence required when a vendor — not the institution — is the entry point.

Watch List for the Coming Week

The May 12 deadline will tell whether ShinyHunters proceeds to leak or extends. Either outcome creates downstream work. A leak forces immediate state-level notification calculus and accelerates plaintiffs’ filings; an extension prolongs uncertainty for institutions under existing litigation holds. Boards and audit committees should expect to see the Canvas event on the next risk-management agenda, and eDiscovery teams should expect to be asked whether Canvas data — now in unknown adversary hands — is implicated in any active or reasonably anticipated dispute.

If a vendor breach can put coursework, conduct records, and intra-platform messages into adversary inventory across thousands of schools in a single weekend, what does that mean for the next learning, identity, or content vendor on the procurement list — and how should counsel and security teams reset their assumptions before the next deadline arrives?

Assisted by GAI and LLM technologies

Source: HaystackID published with permission from ComplexDiscovery OÜ