Some schools and universities globally, whose student data was compromised in an April cyberattack on the educational tool Canvas, reportedly sought direct negotiations with the hacking group ShinyHunters to prevent data release. ShinyHunters, a notorious group known for data theft and extortion, claimed on May 3 to have stolen approximately 6.65 terabytes of Canvas data impacting nearly 9,000 schools worldwide. The data reportedly included student names, email addresses, and private messages between users.
Instructure, the parent company of Canvas, announced on May 1 that it was investigating a cybersecurity incident. Canvas is a widely used educational platform that facilitates class assignments, information sharing, and communication between students and school faculty, serving approximately 30 million active users from kindergarten through college age. Instructure’s Chief Information Security Officer confirmed on May 2 that user names, email addresses, student IDs, and messages were involved.
ShinyHunters publicly stated on May 5 that Instructure had not engaged in dialogue regarding their demands, which they described as not “even as high as you might think it is.” They then listed around 1,400 affected schools, inviting direct negotiation. Students reported widespread disruption as they prepared for end-of-year tasks, with some encountering a hacker’s note upon login. Instructure temporarily took Canvas offline but restored access within four hours on May 7, confirming hackers made changes to pages that appeared for some users. The company attributed the vulnerability to its Free-for-Teacher service, which has since been temporarily shut down, giving them confidence to fully restore Canvas.
As of May 7, ShinyHunters removed their messages concerning the incident from their website, stating they had “no further comment.” This action can sometimes indicate negotiations or payment. Meanwhile, districts like Montgomery County Public Schools advised caution, restricting access until all services are confirmed safe. Canvas Beta and Canvas Test remain in maintenance mode, highlighting ongoing security checks following the breach.
