Cybersecurity

ShinyHunters Stole 275 Million Student Records. The Ransom Deadline Is May 12.

ShinyHunters breached Canvas/Instructure on April 25, claiming 275 million records from 8,809 schools. The ransom deadline is May 12. Here's the full breakdown and what to do.

🚨 Breaking — May 8, 2026

Records stolen: 275 million
Schools affected: 8,809
Ransom deadline: May 12, 2026
Group: ShinyHunters

ShinyHunters — the same crew that hit Ticketmaster and Salesforce — breached Canvas on April 25. They're claiming 275 million student and teacher records across 8,809 schools. The ransom deadline is May 12. That's Tuesday. The same day Hitechies launches on Product Hunt, coincidentally — but more importantly, it's the day a lot of private conversations between students and teachers may become public.

Let's start with what Canvas actually is, because not everyone outside of education knows the name. Canvas is the learning management system used by 41% of universities and colleges in North America — and a significant chunk of K-12 schools too. It's where grades live. Where assignments get submitted. Where lecture videos are stored. And where students and teachers have private conversations they reasonably expected to stay private.

ShinyHunters didn't breach a peripheral system. They breached the platform where a generation of students does their schoolwork, and they did it quietly enough that Instructure — the company that runs Canvas — didn't notice until April 25, at which point the data was already gone.

How it unfolded — day by day

Timeline

Apr 25: Instructure discovers something is wrong. Internal investigation begins. No public disclosure.

May 3: ShinyHunters publishes a ransom note on Ransomware.live. They're annoyed Instructure "ignored them and did some security patches" instead of making contact. Deadline set for May 6, then extended. The note threatens to leak "billions of private messages among students and teachers."

May 5: Instructure CISO Steve Proud confirms the breach. Canvas goes dark for thousands of schools mid-semester. Harvard, Penn, Oklahoma, Wake County schools all report disruption. Students arrive at class to find their coursework inaccessible.

May 6: ShinyHunters publishes a list of 8,809 affected institutions with record counts ranging from tens of thousands to several million per school. Claims 275 million records total. Proud says the attack has been "contained." ShinyHunters disagrees.

May 7: Medtronic breach also attributed to ShinyHunters — millions of records. The group is running multiple extortion campaigns simultaneously.

May 12: The deadline. Pay or the data gets published. Four days from today.

Who ShinyHunters actually are — and why the profile matters

Threat actor

Threat analyst Luke Connolly at Emsisoft describes ShinyHunters as a loose group of teenagers and young adults based primarily in the US and UK. That profile surprises people every time, because the scale of damage is genuinely extraordinary. Ticketmaster. Salesforce and dozens of its enterprise customers. Individual Ivy League universities. And now the biggest education platform in North America.

The strategy is not complicated, which is part of why it keeps working. Don't target the individual school. Target the platform that runs underneath 8,000 schools at once. The technical effort is the same, but the leverage is completely different. One successful breach of Instructure is a breach of Harvard, Penn, Duke, Wake County schools, and 8,806 other institutions simultaneously. The ransom negotiation happens with one company, but the threat covers everyone.

Why Instructure's response made things worse

ShinyHunters' ransom note specifically called out Instructure's response: "Instead of contacting us to resolve it, they ignored us and did some 'security patches.'" Whether or not paying ransomware groups is the right call — and there are serious arguments against it — being publicly called out for ignoring contact while patching quietly is not a great look during an active extortion campaign. It suggests Instructure's incident response treated this as a technical problem to be fixed rather than an ongoing negotiation with people who still have the data.

This is also not the first time ShinyHunters has hit education technology. Last autumn they breached Salesforce and claimed one billion records across dozens of companies — Instructure was one of the named victims then too. The group has been targeting this sector repeatedly, successfully, and apparently without sufficient consequence to deter them.

What 275 million Canvas records actually contains

The data

The number is big enough to become abstract. What makes it concrete is thinking about what Canvas stores for a typical student.

Your grades. Every assignment you've submitted. Every piece of feedback a teacher gave you privately. Every direct message you've sent to a professor about struggling with coursework, requesting an extension, or discussing something you didn't want anyone else to see. Every message you've sent to a classmate through the platform. Course notes, lecture videos, your participation history.

Now multiply that by 275 million people. A lot of those people are minors — Canvas is used in K-12 schools, not just universities. Children's private messages. Student IDs. Academic records. All of it now in the hands of a group that has a history of publishing data when their demands aren't met.

What Instructure says was NOT stolen

Duke's CISO reported that Instructure told the university no passwords, dates of birth, government identifiers, or financial information were involved — at least for Duke. The scope appears to vary by institution. The honest answer is that individual schools are getting different information about their own exposure, and the full picture of what was taken won't be clear until either Instructure discloses it or ShinyHunters publishes it.

What to actually do — students, parents, and IT teams

Action guide

The data has already been taken. Nothing changes that. What you can control is whether stolen credentials get used against you next.

Students and parents

Change your Canvas password now — especially if you reuse it anywhere else. A credential stuffing attack will test it against every major platform automatically.
Enable MFA on your Canvas account if your institution supports it. A stolen password with MFA enabled is significantly less useful.
Do not click any links in emails or texts about the breach. Open your school's website directly. ShinyHunters' data makes targeted phishing trivially easy — they know your name, your school, your teachers.
For parents of minors: Ask your school what identity protection is being offered. Consider a credit freeze on your child's file — children's identity fraud often isn't discovered until they're adults applying for credit.

IT and security teams

Enforce MFA on all privileged Canvas accounts immediately. Instructure specifically called this out in their breach response guidance.
Rotate all API tokens and keys connected to your Canvas instance. Treat them as compromised until proven otherwise.
Prepare for May 12. If ShinyHunters publishes the data, your institution's records become publicly available to every threat actor simultaneously. Brief your communications team now, not after it happens.
Get institution-specific information from Instructure directly — not from news reports. The scope of exposure varies significantly between institutions.
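
For the token rotation step above, a small triage script helps IT teams see what is still outstanding. This is an added example, not Instructure's tooling or code from the original article: the CSV column names and sample rows are constructed, and the cutoff uses the May 6 "contained" date from the timeline as an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Assumption: containment date taken from the article's timeline (May 6, 2026).
# Anything not rotated after this moment is still treated as compromised.
CONTAINED_AT = datetime(2026, 5, 6, tzinfo=timezone.utc)

# Constructed sample inventory; column names are hypothetical, not a Canvas export.
SAMPLE_INVENTORY = """\
name,kind,scope,last_rotated
sis-sync,api_token,admin,2025-09-01T08:00:00+00:00
gradebook-export,api_token,course,2026-05-07T14:30:00+00:00
plagiarism-lti,lti_key,course,2026-04-28T10:00:00+00:00
attendance-bot,api_token,admin,
library-lti,lti_key,read_only,2026-05-06T00:00:00+00:00
"""

# Unknown scopes sort with the most privileged so they are never overlooked.
SCOPE_PRIORITY = {"admin": 0, "course": 1, "read_only": 2}
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)  # sort key for "never rotated"


def parse_ts(value):
    """Return an aware datetime, or None when the credential was never rotated."""
    value = value.strip()
    if not value:
        return None
    ts = datetime.fromisoformat(value)
    # Treat naive timestamps as UTC so comparisons never raise.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def pending_rotation(inventory_csv, contained_at=CONTAINED_AT):
    """List credentials still to rotate, most privileged and stalest first."""
    pending = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rotated = parse_ts(row["last_rotated"])
        # A rotation during the intrusion window still counts as exposed.
        if rotated is None or rotated <= contained_at:
            pending.append((row["name"], row["scope"], rotated))
    pending.sort(key=lambda c: (SCOPE_PRIORITY.get(c[1], 0), c[2] or NEVER))
    return pending


if __name__ == "__main__":
    for name, scope, rotated in pending_rotation(SAMPLE_INVENTORY):
        print(f"ROTATE {name:<18} scope={scope:<9} last_rotated={rotated or 'never'}")
```

Credentials rotated between April 25 and the cutoff stay on the list, because a key reissued while the attacker may still have had access cannot be assumed clean.
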

The pattern that keeps repeating

This is the second major education data breach in six months. PowerSchool got hit in late 2025, paid the ransom, watched a video of the attacker "deleting" the data, and analysts immediately warned that extortion would continue anyway. The education sector has rich data, underfunded security teams, and deep dependency on third-party platforms. Every year this combination produces catastrophic breaches. Every year the response is surprise, patches, and a press release. At some point the surprise has to stop.

The May 12 deadline is four days away. We'll update this article as the situation develops — whether Instructure pays, whether data gets published, and what affected institutions are telling their students.

If you're a student, a parent, or work in education IT and your institution is on the list: the data is already gone. The question now is what happens next, and whether you've made it harder for stolen credentials to be used against you before you find out.
