ShinyHunters Targets Instructure in Massive Education Data Breach A criminal extortion group called ShinyHunters has claimed responsibility for a major cyberattack. The group targeted Instructure, the parent company of the widely used Canvas learning platform. ShinyHunters claims to have stolen data from approximately 9,000 schools worldwide. The breach reportedly affects around 275 million students and teachers. Duke University’s Information Technology Security Office confirmed that Duke was among the affected institutions. The office sent a Wednesday evening email to all faculty and students confirming the breach. Universities across the country scrambled to respond to the developing crisis. Schools including the University of Oklahoma, the University of Pennsylvania, and the University of Houston were all affected. Rutgers University, the University of Colorado Boulder, and Tilburg University issued warnings to their students. Those schools urged students to stay vigilant against potential phishing emails. Santa Rosa Junior College also confirmed a service outage. However, that college did not publicly disclose a cyberattack as the cause. What Data Did Hackers Steal? ShinyHunters claims the stolen data includes certain identifying information about users. According to Instructure’s status page, the compromised data includes names, email addresses, and student ID numbers. Hackers also accessed messages exchanged between users on the platform. Instructure reported finding no indication that passwords or financial information were compromised. The scale of the breach alarmed students and administrators alike. Photography senior Raphael Fernandez at the University of Houston described the situation as “frustrating.” He faced a final exam due date that coincided with the outage. “I just hope it’s either resolved soon or there’s an alternative to make up the final,” Fernandez said. Fernandez added that he had an A in the class. He warned that an inability to submit his exam would drop his grade significantly. He questioned why a company serving thousands of schools lacked stronger security. His frustration reflected the anxiety felt by students nationwide. Students Scramble as Canvas Goes Dark Students at multiple campuses reported being unable to access Canvas entirely. They could not submit assignments or complete online final exams. Many campuses advised students to avoid logging into Canvas altogether. The timing proved especially damaging, as many schools were deep into final examination periods. At Santa Rosa Junior College, student Anthony Rodriguez expressed concern about the outage. “At this moment it’s going to be affecting me, because I need to check on work that needs to be done for finals,” Rodriguez said. He added that he hoped authorities would resolve the issue quickly. Frustration spread rapidly across campuses nationwide. Anna, a student at Napa Valley College, also expressed serious concern. She faced a hard deadline of 5:00 p.m. on Sunday for submitting all her work. “If there is a delay that sets me back for half-a-day, it’s going to be really stressful,” she said. Her experience highlighted the real academic consequences of the attack. ShinyHunters Issues an Ultimatum On the afternoon of May 7, Canvas became nonfunctional again. A message from ShinyHunters appeared directly on user dashboards. The hackers accused Instructure of ignoring their initial demands. They claimed Instructure had simply applied security patches rather than negotiating with them. “ShinyHunters has breached Instructure (again),” the dashboard message stated. The hackers instructed affected schools to consult a cyber advisory firm. They then demanded that schools contact ShinyHunters directly to negotiate a settlement. The group set a firm deadline of May 12, 2026 to prevent the release of stolen data. “You have till the end of the day by 12 May 2026 before everything is leaked,” the message warned. Around 4:20 p.m., Canvas replaced the hackers’ message with a maintenance notice. At 4:41 p.m., Instructure updated its official status page to confirm an active investigation. The company stated it was “currently investigating this issue.” Who Are ShinyHunters? ShinyHunters operate as a criminal black hat hacking group. They target organizations specifically to extort victims for financial gain. If targets refuse to pay, the group threatens to leak or sell the stolen data. Their name draws inspiration from the Pokémon video game series, where players hunt for rare “shiny” versions of Pokémon. The group has a long and aggressive history of high-profile attacks. Past targets include Microsoft, Rockstar Games, the European Commission, and SoundCloud. They also previously targeted GitHub, Pornhub, and Mathways. ShinyHunters noted in their message that this represents their second successful breach of Instructure. The hackers criticized Instructure directly for their response to the first breach. The hackers themselves criticized the company’s initial response as dismissive. They claimed Instructure ignored them and only applied security patches. That response, they argued, failed to address the underlying security vulnerabilities. Instructure Responds as Investigation Continues Instructure initially declared the incident resolved on Wednesday at 5:15 p.m. The company stated that Canvas was fully operational and showed no ongoing unauthorized activity. However, the second breach on May 7 directly contradicted that assessment. The new attack demonstrated that the threat had not been eliminated. Duke University did not respond to media requests for comment on the new developments. The university did not confirm whether it planned to contact ShinyHunters. Most Duke students were not actively using Canvas at the time of the second attack. Undergraduate final examinations had already concluded on May 2, with Summer Term I not starting until May 13. Multiple campus newspapers reported the evolving situation in real time. The Collegiate Times and The Daily Pennsylvanian both reported the ShinyHunters dashboard message. Community college districts, including Rancho Santiago and Peralta, also sent email blasts to their students. Schools across the country continue to monitor the situation closely. What Students and Schools Should Do Now Several universities have already urged students to watch for suspicious emails. Phishing attacks frequently follow major data breaches. Hackers often use stolen email addresses to craft convincing fake messages. Students should treat unexpected emails requesting login credentials with extreme caution. The breach exposed names, email addresses, and student ID numbers at minimum. Students at affected schools should monitor their accounts for unusual activity. Institutions are also advised to consult cybersecurity professionals immediately. The May 12 deadline set by ShinyHunters continues to pressure administrators to act swiftly. Post navigation White House Eyes AI Oversight Body to Review Powerful Models Before Public Release