A hacking group just pulled off the largest education data breach in history — and instead of negotiating with the company they breached, they’re going directly to schools with an ultimatum: pay us by May 12, or we dump every student’s private data on the internet. ShinyHunters, the same group that breached Ticketmaster and AT&T, has compromised Instructure’s Canvas learning management system for the second time, claiming to have stolen data from 275 million users across nearly 9,000 schools worldwide.
That’s not a typo. Two hundred and seventy-five million students, teachers, and administrators — from Harvard to community colleges to K-12 districts — just had their names, email addresses, student IDs, and billions of private messages siphoned out of the platform they use every single day. And the company that was supposed to protect that data? It apparently couldn’t even stop the same attackers from walking in a second time.
ShinyHunters Didn’t Just Hack Canvas — They Came Back and Did It Again
Here’s what makes this breach different from the typical “we regret to inform you” corporate data incident. ShinyHunters first compromised Instructure back in April 2026. When Instructure reportedly failed to engage with the group or negotiate any kind of payment, ShinyHunters didn’t walk away — they came back and hit the company again. This time, they defaced login pages at several schools to prove they still had access, essentially spray-painting their calling card across the front door while the security team was supposedly inside fixing the locks.
According to reports from DataBreaches.net, the stolen data includes what Instructure calls “certain identifying information” — names, email addresses, and student ID numbers. But the real bomb is the billions of private messages exchanged between users on the Canvas platform. Think about what students and teachers discuss through a learning management system: grades, disciplinary issues, mental health accommodations, personal struggles, academic integrity concerns. This isn’t a trove of marketing emails. This is deeply personal communication that was never meant to see daylight.
The Ransom Model Has Changed — And Schools Are the New Targets
What ShinyHunters is doing here represents a genuinely disturbing evolution in ransomware tactics. Instead of pressuring Instructure — a $4 billion publicly traded company with resources to fight back — they’ve gone around the vendor entirely. The group posted a notice instructing individual schools to contact them directly to negotiate settlements for their own data. The deadline is May 12, 2026. After that, the group says it will begin leaking everything.
This is the cyber equivalent of kidnapping a building full of people and then calling each person’s family separately to negotiate individual ransoms. It’s designed to maximize pressure and create chaos — because while Instructure might have the resources and legal cover to refuse payment, a small school district in North Carolina or a mid-tier university in India almost certainly doesn’t have the same risk tolerance. Some of these institutions will pay. ShinyHunters is banking on it.
WRAL reported that Canvas went down across North Carolina schools during one of the most critical stretches of the academic year — end-of-semester exams and final assignments. Students couldn’t access their coursework. Teachers couldn’t post grades. The timing was almost certainly intentional.
Instructure’s Track Record Makes This Worse
Instructure isn’t some scrappy startup that got caught off guard. This is a company that dominates the learning management system market globally, used by universities including Harvard, Duke, and thousands of K-12 districts. It was taken private by Thoma Bravo in 2020 for $2 billion, then went public again. The company had every resource and every reason to build fortress-level security around student data — and it failed. Twice. By the same attackers.
The fact that ShinyHunters could breach the same platform twice within weeks suggests something fundamentally broken in Instructure’s security architecture. Either the initial breach wasn’t fully remediated, the attackers maintained persistent access that wasn’t detected, or there are systemic vulnerabilities that a single patch can’t fix. None of these possibilities are comforting if you’re a parent whose child uses Canvas every day.
Why Education Is Now the Softest Target in Tech
This breach exposes a structural problem that the edtech industry has been ignoring for years. Schools are sitting on some of the most sensitive personal data imaginable — information about minors, their academic performance, their behavioral records, their private communications with trusted adults — and they’re storing all of it on platforms built by companies that prioritize feature development and growth over security investment.
The Malwarebytes analysis of this breach puts it bluntly: education institutions have become prime targets precisely because they hold enormous volumes of sensitive data, operate on tight budgets that limit security spending, and rely on a small number of dominant platforms that create single points of failure. When you compromise Canvas, you don’t get one school — you get nine thousand of them in a single operation.
Compare this to how the financial sector handles data protection. Banks face constant cyberattacks, but the regulatory framework — SOX, PCI DSS, regular audits — forces a baseline level of security investment. Education has FERPA, which sets privacy rules but doesn’t mandate specific security standards. The result is a sector where the sensitivity of the data wildly exceeds the rigor of its protection.
The Clock Is Ticking — And There’s No Good Option
Schools affected by this breach now face an impossible choice with the May 12 deadline looming. Pay ShinyHunters — which funds criminal enterprise, violates most institutional policies, and provides no guarantee the data won’t be leaked anyway. Or refuse to pay — and potentially expose hundreds of millions of students’ private communications and personal information to the open internet.
Instructure, for its part, has been largely quiet. The company acknowledged the incident but hasn’t released a detailed public accounting of what was taken, how the breach occurred, or what it’s doing to prevent a third compromise. For a company that holds the digital academic lives of 275 million people, that silence is deafening.
Times Higher Education warns that the stolen data — particularly email addresses paired with student IDs and institutional affiliations — creates a perfect foundation for highly targeted phishing attacks. Students who are accustomed to receiving legitimate emails from their Canvas platform will be prime targets for social engineering campaigns that impersonate their schools.
The Verdict
This isn’t just a data breach — it’s an indictment of the entire edtech security model. A single company’s failure just exposed the private academic and personal data of 275 million people, most of them students, many of them minors. The fact that the same hacking group breached the same platform twice should trigger regulatory investigations, not just incident response plans. If Instructure can’t protect the data of 9,000 schools, the question isn’t whether they need better security — it’s whether any single platform should be trusted with that much sensitive data in the first place. Schools have until Monday to decide whether to negotiate with criminals. That they’re in this position at all is the real scandal.
