ShinyHunters Claims Credit for Canvas LMS Cyberattack Affecting Schools and Students

The FBI has warned that ShinyHunters claimed responsibility for a cyberattack that disrupted an online learning management system used by educational institutions and students across the country. The platform has since returned to normal operation, but the agency warned that follow-on extortion and phishing risks may continue.

Instructure, the company behind Canvas LMS, said it detected unauthorized activity in Canvas on April 29, 2026. The company revoked the unauthorized party’s access, opened an investigation, and brought in outside forensic experts.

A second incident followed on May 7, when the same unauthorized actor gained additional access through another Canvas vulnerability. Instructure said the attackers changed pages seen by some students and teachers, prompting the company to place Canvas into maintenance mode while it contained the activity.

What happened in the Canvas incident

Instructure said the second attack was detected and disabled about 10 minutes after it began. The company said no additional data was accessed or exfiltrated during that second incident.

The company later confirmed that the unauthorized actor used one of its Free-For-Teacher accounts in both incidents. In response, Instructure temporarily shut down the Free-For-Teacher product while it works on a safer way to bring it back.

Canvas is now fully operational, according to Instructure and the FBI. Still, the incident remains important because attackers claimed access to data from schools and used public pressure tactics to force negotiations.

Canvas cyberattack at a glance

Item	Details
Platform	Canvas LMS by Instructure
Threat actor claim	ShinyHunters claimed responsibility
Initial detection	April 29, 2026
Second incident	May 7, 2026
Reported access path	Free-For-Teacher account abuse
Service status	Canvas is fully operational
Potentially affected data	Names, email addresses, student ID numbers, and Canvas messages
Data not believed affected	Passwords, birth dates, government IDs, and financial information

FBI warns about ShinyHunters extortion tactics

The FBI described ShinyHunters as a cybercriminal group known for large-scale data breaches and extortion. The group often claims access to sensitive records and uses that claim to pressure victims into paying.

The agency warned that some claims may be exaggerated or false. Even so, victims may receive emails, text messages, or phone calls from actors claiming to represent ShinyHunters.

The FBI also said ShinyHunters actors have used harassment tactics, including threats against victims and family members. In some cases, threat actors have used swatting, where false emergency reports trigger police responses.

What data may have been exposed

Instructure said the investigation found that some user data was involved in the incident. The data may include names, institutional email addresses, student ID numbers, and messages sent through Canvas.

The company said it found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. That distinction matters, but it does not remove the risk.

Names, school email addresses, student IDs, and message history can still help criminals craft realistic phishing messages. Attackers can use school context, course references, and internal communication patterns to make scams look more convincing.

Why education platforms are high-value targets

Learning management systems are now central to school and university operations. Students use them to access assignments, grades, course materials, discussions, exams, and messages from instructors.

That makes an LMS outage disruptive even if attackers do not encrypt systems. If students cannot log in during finals, submit work, or view course material, the disruption can affect academic deadlines and campus operations.

Education platforms also connect to many third-party systems. Single sign-on, gradebooks, student information systems, email tools, and integrations can widen the impact of one compromised platform.

Risks for students, teachers, and schools

• Phishing emails that impersonate teachers, IT teams, or school administrators.
• Fake password reset messages using real school names.
• Scams that reference Canvas, assignments, exams, or grades.
• Messages that pressure students or staff to click links quickly.
• Attempts to steal single sign-on credentials.
• Extortion emails claiming access to private student or faculty messages.

Instructure says it reached an agreement with the attacker

Instructure later said it had reached an agreement with the unauthorized actor to prevent publication of data involved in the incident. The company said data was returned and that it received digital confirmation, called shred logs, showing remaining copies were destroyed.

The company did not disclose whether a payment was involved. It also acknowledged that there is never complete certainty when dealing with cybercriminals.

That means affected institutions should continue preparing for phishing and social engineering even if public data leaks do not appear. Criminal groups can reuse information from past incidents, screenshots, or partial data long after an event ends.

What schools should do now

Schools using Canvas should continue following Instructure’s official guidance and local IT advisories. Administrators should also review account integrations, connected apps, and any credentials tied to Canvas workflows.

Institutions should warn students, faculty, and parents about phishing attempts that reference Canvas, grades, assignments, financial aid, or school login pages. Clear communication reduces the chance that users trust fake messages during a confusing incident.

Security teams should also review logs for suspicious Canvas-related login activity, unusual OAuth permissions, and unexpected API activity.

Priority	Action	Reason
High	Warn users about phishing	Attackers may use real education context to make scams believable.
High	Review Canvas integrations	Connected apps can create additional access paths.
High	Check single sign-on logs	Stolen credentials may be used after the incident.
Medium	Review API keys and OAuth tokens	Tokens may grant access without a normal password login.
Medium	Prepare official communication templates	Students and staff need a trusted source for updates.

What students and faculty should do

Students and faculty should avoid responding to extortion messages. They should also avoid clicking links in unexpected emails or text messages that claim to involve Canvas, grades, account verification, or school security.

The safest approach is to visit the school’s official website or Canvas login page directly. Users should not use links from unsolicited messages, even if the message includes accurate school details.

Anyone who receives a suspicious message should report it to their school’s IT department and keep copies of the message, sender details, phone numbers, and links.

FBI guidance for affected users

• Do not pay cybercriminals or respond to extortion demands.
• Verify suspicious messages through official school channels.
• Do not click unknown links or download unexpected attachments.
• Be cautious of calls, texts, or emails claiming to come from an LMS provider.
• Report incidents to school IT teams and the FBI’s Internet Crime Complaint Center.
• Keep evidence, including emails, screenshots, account names, phone numbers, and wallet addresses.

Why the incident matters

The Canvas incident shows how cyberattacks on education platforms can quickly become operational crises. A single LMS outage can affect thousands of classes, exams, grading workflows, and student communications.

It also shows why data theft and service disruption now overlap. Attackers may not need to encrypt systems to create pressure. They can steal data, deface pages, disrupt access, and then target institutions or users directly.

For schools, the next phase matters as much as the breach itself. Strong communication, phishing awareness, access review, and credential hygiene can reduce the damage from follow-on attacks.

Summary

• The FBI warned that ShinyHunters claimed responsibility for an LMS cyberattack affecting education users.
• Instructure identified unauthorized activity in Canvas on April 29 and May 7, 2026.
• The company said the attacker used one of its Free-For-Teacher accounts.
• Canvas is now fully operational, but Free-For-Teacher remains temporarily shut down.
• Potentially affected data includes names, email addresses, student ID numbers, and Canvas messages.
• Instructure said it found no evidence that passwords, birth dates, government IDs, or financial data were compromised.
• Schools and users should prepare for phishing, extortion messages, and impersonation attempts.

FAQ