The cybercrime group ShinyHunters claimed responsibility on May 3, 2026, for breaching Instructure, the company that runs Canvas. Instructure confirmed that names, email addresses, student ID numbers, and messages between users were accessed at roughly 9,000 schools worldwide. The company says there is no evidence that passwords, financial data, or government IDs were exposed. Hackers extended their "pay or leak" deadline to May 12. Here's what you should do this week.

If your college or high school uses Canvas — and there's a strong chance it does — this breach affects you directly.

On May 3, 2026, the cybercrime group ShinyHunters announced it had compromised Instructure, the Utah-based company behind the Canvas Learning Management System. The group shared a list of 8,809 institutions with cybersecurity researchers — school districts, universities, and online education platforms whose Canvas data they claim to have accessed.1

What Data Was Actually Taken

Instructure's chief information security officer Steve Proud confirmed in a statement that "certain identifying information" was accessed. According to Instructure, that information includes:

  • Full names
  • Email addresses
  • Student ID numbers
  • Messages exchanged between users on Canvas

The company also stated it has found "no evidence that passwords, dates of birth, government identifiers, or financial information were involved."2

This matters. No passwords means your Canvas login was not directly compromised. No financial data means your bank account and federal aid information are not at immediate risk from this incident.

What was taken — names, emails, and direct messages — is enough to run highly targeted phishing campaigns. That is the real threat right now.

If you receive any email appearing to come from Canvas, your school's IT department, or a financial aid office asking you to verify your account or click a login link, treat it as suspicious. Do not click. Report it to your school's IT helpdesk first.

Which Schools Were Affected

ShinyHunters shared a list with cybersecurity researchers but the full list has not been publicly released. Instructure said it is notifying affected institutions directly.

Several universities have already issued statements. Wayne State College in Nebraska posted an official cybersecurity incident update on May 7.1 Harvard's Canvas systems showed access disruptions the morning of May 8, with the Harvard Crimson reporting that some students temporarily lost access to the platform during finals week.

If your school uses Canvas and you have not received an official notification, that does not mean your data is safe. It may mean your school is still assessing its status, or that Instructure has not yet reached out to them.

The May 12 Deadline

ShinyHunters originally set a May 6 deadline for Instructure to negotiate, then extended it to May 12, 2026. After that date, the group has threatened to publish stolen data publicly.

This is consistent with the group's past tactics. ShinyHunters has previously run similar "pay or leak" campaigns against Salesforce, McGraw Hill, and Infinite Campus.2

Instructure has not publicly stated how it plans to respond to the demand.

The May 12 deadline creates urgency for the hackers, not for you. The steps below apply regardless of what happens on that date — take them now, not because of the deadline, but because they reduce your exposure from any breach.

What to Do in the Next 24 Hours

Change your Canvas password today. Even though Instructure says passwords were not taken, changing it now costs you 60 seconds and removes one variable.

Check your email at haveibeenpwned.com. Enter your school email address. If it appears in previous breach records, your risk from phishing is meaningfully higher.

Flag suspicious messages immediately. Any message asking you to verify your account, update your Canvas login, or confirm financial aid information should be reported to your school's IT helpdesk before you click anything.

Do not worry about your financial aid. Canvas does not store your Social Security number, FAFSA data, or bank account information. For information on how your financial aid data is actually stored and managed, see our guide to filling out the FAFSA.

Contact your school's IT department. Ask directly whether your institution was on the affected list. Many schools are proactively emailing students — check your official school email, not your personal account.

How This Affects Finals Week

Thousands of students lost access to Canvas for periods of time during the first week of May — exactly when most schools enter their final exam period.1 Assignment submissions, exam instructions, and course materials hosted inside Canvas were disrupted for some students.

If you are affected, email your professor or department directly through your school email address. Ask for an alternative submission method if Canvas is inaccessible. Most schools have contingency procedures for exactly this kind of technical failure.

Managing your time and communication during this kind of disruption is stressful, especially alongside finals. Our guide to effective studying in college covers strategies that do not depend on any single platform, and our time management tips for college students can help you stay on track when technology fails you.

If the stress of a security incident on top of finals is hitting harder than expected, our resource on mental health support in college lists options — including free, same-day options — that do not require an appointment.

Why Education Platforms Keep Getting Targeted

This is reportedly the second time ShinyHunters has targeted Instructure specifically. Education technology platforms concentrate enormous amounts of personal data on millions of users, and many schools operate with lean IT security budgets.

The most useful response to a breach like this is not panic. It is to take the specific steps above and then monitor your email carefully in the weeks ahead. Your grades, your financial aid, and your enrollment are not in jeopardy because of this incident.

For broader college safety guidance and resources available to you on campus, our safety guide covers both digital and in-person support.

Check your official school email for institution-specific guidance. That is the most reliable place to get confirmed information as this situation continues to develop.

Your Action Plan

  1. Change your Canvas password now
  2. Run your school email through haveibeenpwned.com
  3. Report any suspicious emails to your school's IT helpdesk
  4. Email your professor directly if Canvas access is disrupting your finals
  5. Monitor your school's official communications for institution-specific updates

Footnotes

  1. Inside Higher Ed. (2026, May 7). Hackers Target Canvas—Again. Inside Higher Ed. https://www.insidehighered.com/news/quick-takes/2026/05/07/hackers-target-canvas-again 2 3

  2. DataBreaches.net. (2026, May 7). Developing: ShinyHunters Hacks Instructure Again; Canvas Down. DataBreaches.net. https://databreaches.net/2026/05/07/developing-shinyhunters-hacks-instructure-again-canvas-down/ 2