Hackers Steal 5TB of Student Data from Canvas, Disrupt Exams

Instructure, the parent company of Canvas, reached an agreement with the unauthorized actor behind a major cyber incident affecting its education platform. As part of the deal the stolen data was returned to Instructure, which also received digital confirmation of data destruction from the hackers in the form of shred logs.

The company was informed that no Instructure customers would be extorted as a result of the incident.

The agreement covers all affected Instructure customers and there is no need for individuals to engage with the hackers. Instructure's primary motivation was protecting students' and education staff data. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said.

The breach was discovered on 29 April 2026. 5 terabytes of student and university data. Shiny Hunters claimed responsibility for the breach and threatened to publish the stolen data unless a ransom was paid in bitcoin.

The initial ransom deadline set by Shiny Hunters was 6 May 2026. The group later extended the deadline. The breach began unfolding on Thursday 7 May 2026 or the days immediately prior, even though it had been discovered earlier.

A ransom note demanding payment in bitcoin appeared on screens during exams on the Canvas platform. Aubrey Palmer, a meteorology student at Mississippi State University, and other students had just finished writing a 2,900-word exam essay when the ransom message appeared on their screens. "My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like," Palmer said.

The cyber-attack caused the Canvas service to go down, disrupting exams at thousands of universities and colleges. Some final exams were delayed in response to the breach. Mississippi State University announced some exams would be postponed to allow students to recover any lost work.

The data breach involved student ID numbers, email addresses, names and messages on the Canvas platform, according to Steve Proud. Instructure found no evidence that passwords, dates of birth, government identification or financial information were compromised.

Canvas is used by schools and universities to manage grades, digital lectures, course materials, discussion boards, messaging between students and instructors, quizzes, exams and final project submissions.

The attack created chaos for students and faculty members who were locked out of a platform they rely on for nearly all aspects of instruction. Shiny Hunters claimed it had hacked Canvas twice before the 29 April 2026 attack. The group also claimed it breached Instructure again in April 2026 ahead of the 29 April attack.

Instructure disclosed a breach in September 2025. Instructure is working with expert vendors to perform a forensic analysis, further harden its systems and carry out a comprehensive review of the data involved. The company will hold a webinar for its leadership on Wednesday to provide details of the attack and discuss measures to harden the system.